Indictment reveals theft of one billion email addresses from ESPs, three charged

Prosecutors say the defendants were behind one of the largest reported data breaches in U.S. history.

In newly unsealed court documents, three men were charged for their roles in a scheme that entailed hacking U.S. email service providers (ESPs) and using stolen email addresses to spam tens of millions of users to peddle products.

On Friday, the Department of Justice announced that two of the men, Viet Quoc Nguyen and Giang Hoang Vu, were Vietnamese citizens who lived in the Netherlands, while the third defendant, David-Manuel Santos Da Silva, was a resident of Montreal, Canada. The indictment against Nguyen and Vu, and a guilty plea from one defendant, were unsealed Thursday.

Between February 2009 and June 2012, Nguyen, 28, allegedly hacked into at least eight ESPs, stealing “confidential information, including proprietary marketing data containing over one billion email addresses,” the DOJ release said.

Nguyen and Giang Vu, 25, then used the stolen data to spam “tens of millions of email recipients,” the agency continued, describing the data breach as “one of the largest reported data breaches in U.S. history.”

As part of the racket, Da Silva, the co-owner and president of 21 Celsius in Canada, allegedly had a business arrangement with Nguyen, an affiliate marketer, which allowed the two to rake in $2 million through the sale of products marketed via hyperlinks in spam emails.

Vu, who was arrested in the Netherlands in 2012 prior to his March 2014 extradition to the U.S., pleaded guilty last month to conspiracy to commit computer fraud. He is scheduled for sentencing on April 21, 2015, while Da Silva is scheduled to be arraigned on Friday in Atlanta before Magistrate Judge E. Clayton Scofield III.

Nguyen is still at large, the Justice Department said.

Acting U.S. Attorney Horn of the Northern District of Georgia said in a statement that the case “reflects the cutting-edge problems posed by today’s cybercrime cases, where the hackers didn’t target just a single company; they infiltrated most of the country’s email distribution firms,” he continued.

“And the scope of the intrusion is unnerving, in that the hackers didn’t stop after stealing the companies’ proprietary data – they then hijacked the companies’ own distribution platforms to send out bulk emails and reaped the profits from email traffic directed to specific websites,” Horn said.